Problem symptom

When an M9000 or other Comware V7 security product in the field shows NAT not taking effect, the following procedure can be used for basic troubleshooting.

Alarm information

Not applicable.

Cause analysis

Step 1: Check on the device that the NAT configuration is correct. In particular, if a vpn-instance parameter is involved, make sure that both the ACL and the NAT configuration carry it; a vpn-instance present on only one of them will not match.

Step 2: In probe view, use the following command to check whether the NAT configuration has been successfully delivered to the kernel on the Blade card.

display system internal  nat chassis 1 slot  4 cpu  1

chassis chassis-number slot slot-number: displays the kernel NAT configuration on the specified card; chassis-number is the member number of the device in the IRF fabric, and slot-number is the slot number of the card.

cpu cpu-number: displays the kernel NAT configuration on the specified CPU.

For the NAT configuration below, the corresponding Blade kernel-state information is shown afterwards:

[M9010-probe]dis current-configuration interface GigabitEthernet 1/5/0/19
#
interface GigabitEthernet1/5/0/19
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 nat outbound 2000 address-group 1
#
return

[M9010-probe]dis nat address-group 1
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      10.0.1.1              10.0.1.10

Blade-side kernel-state information:

[M9010-probe]dis system internal nat chassis 1 slot 4 cpu 1
NAT address group information:
  Totally 1 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      10.0.1.1              10.0.1.10

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/5/0/19
    ACL: 2000         Address group: 1      Port-preserved: N  NO-PAT: N         Reversible: N

The address group and the outbound rule seen in the kernel match the control-plane configuration, so in this case the configuration was delivered correctly.
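As an added example of carrying out Step 2 offline (this is not part of the original case and not H3C code), the following Python script parses the three outputs above, the interface configuration, the control-plane address group display and the Blade kernel display, and reports every address group or nat outbound rule that the kernel does not mirror. The sample texts are copied from the transcript above and trimmed of prompts; the second kernel sample, in which the address group is absent, is constructed to show the failure case that calls for debugging nat config all. The function and variable names are the example's own.

```python
import re

# Constructed sample data: the outputs shown in the case above, copied from
# the transcript (not captured from a live device) and trimmed of prompts.
CONFIG_INTERFACE = """\
interface GigabitEthernet1/5/0/19
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 nat outbound 2000 address-group 1
"""

CONTROL_PLANE_GROUPS = """\
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      10.0.1.1              10.0.1.10
"""

KERNEL_NAT_OK = """\
NAT address group information:
  Totally 1 NAT address groups.
  Address group 1:
    Port range: 1-65535
    Address information:
      Start address         End address
      10.0.1.1              10.0.1.10

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/5/0/19
    ACL: 2000         Address group: 1      Port-preserved: N  NO-PAT: N         Reversible: N
"""

# Constructed failure case (assumed, not from the page): the outbound rule
# reached the blade kernel but the address group did not.
KERNEL_NAT_GROUP_MISSING = """\
NAT address group information:
  Totally 0 NAT address groups.

NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/5/0/19
    ACL: 2000         Address group: 1      Port-preserved: N  NO-PAT: N         Reversible: N
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_address_groups(text):
    """Parse 'Address group N:' blocks into {N: {"port_range": (lo, hi), "ranges": [(start, end)]}}.
    The control-plane and kernel displays share this layout, so one parser serves both."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Address group (\d+):", line)
        if m:
            current = int(m.group(1))
            groups[current] = {"port_range": None, "ranges": []}
            continue
        if current is None:
            continue
        m = re.match(r"\s*Port range: (\d+)-(\d+)", line)
        if m:
            groups[current]["port_range"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = re.match(rf"\s*({IPV4})\s+({IPV4})\s*$", line)
        if m:
            groups[current]["ranges"].append((m.group(1), m.group(2)))
    return groups


def parse_config_outbound(text):
    """Collect (interface, acl, address-group) from 'nat outbound' lines in the running config."""
    rules, iface = [], None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+nat outbound (\d+) address-group (\d+)", line)
        if m and iface:
            rules.append((iface, int(m.group(1)), int(m.group(2))))
    return rules


def parse_kernel_outbound(text):
    """Collect (interface, acl, address-group) from the 'NAT outbound information' section."""
    rules, iface, in_section = [], None, False
    for line in text.splitlines():
        if line.startswith("NAT outbound information"):
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"\s*Interface: (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s*ACL: (\d+)\s+Address group: (\d+)", line)
        if m and iface:
            rules.append((iface, int(m.group(1)), int(m.group(2))))
    return rules


def compare_nat_state(config_text, control_groups_text, kernel_text):
    """Return a list of discrepancies; an empty list means the blade kernel mirrors the control plane."""
    findings = []
    ctrl_groups = parse_address_groups(control_groups_text)
    kern_groups = parse_address_groups(kernel_text)
    for gid, ctrl in ctrl_groups.items():
        kern = kern_groups.get(gid)
        if kern is None:
            findings.append(f"address group {gid} missing from blade kernel")
        elif kern != ctrl:
            findings.append(f"address group {gid} differs in blade kernel: {kern} vs {ctrl}")
    kern_rules = set(parse_kernel_outbound(kernel_text))
    for rule in parse_config_outbound(config_text):
        iface, acl, gid = rule
        if rule not in kern_rules:
            findings.append(f"nat outbound {acl} address-group {gid} on {iface} missing from blade kernel")
        elif gid not in kern_groups:
            findings.append(f"nat outbound {acl} on {iface} references address group {gid}, absent from blade kernel")
    return findings


if __name__ == "__main__":
    for name, kernel in (("ok", KERNEL_NAT_OK), ("group missing", KERNEL_NAT_GROUP_MISSING)):
        print(name, compare_nat_state(CONFIG_INTERFACE, CONTROL_PLANE_GROUPS, kernel) or "consistent")
```

On a multi-slot chassis, run the display command once per Blade slot and CPU and feed each output through compare_nat_state separately; a rule that is present on one card and absent on another points at delivery to that card rather than at the configuration itself.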


 

If the kernel state does not show the corresponding address pool or the NAT configuration on the interface, enable debugging nat config all and collect the output.

debug ip packet acl

debug ip info acl

These show whether the local device is forwarding or dropping the packets, which makes a reproducible fault quick to localize.

If the destination address is fixed, configure a QoS traffic statistics policy in advance and use it to count packets received and sent on the inbound and outbound interfaces.

 

 

Solution

Not applicable.

Suggestions and summary

Not applicable.

Case information

Case type: Experience case
Case number: 201609100007
Created: September 10, 2016
Updated: August 1, 2017
Published: 2016/9/12 15:42:40
Article classification: visible to guests
Validity: permanent
Publisher: 金山 [技术大咖] [j06566]
Views: 1700
Average comment score: 0
Keywords: M9000, NAT
Product line: Security products
Product series: M9000 series
Product version:
Fault type:
